The great thing about Object Oriented code is that it can make small, simple problems look like large, complex ones

09 F9 11 02
9D 74 E3 5B
D8 41 56 C5
63 56 88 C0
Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems. -- Jamie Zawinski
Detavil - the devil is in the detail, allegedly, and I use the term advisedly, allegedly ... oh, no, wait I did ...
BIT COINS ANYONE


My Agile Web Development with Rails just arrived yesterday night. I opened the book this morning and by strange coincidence, I opened it on page 345 which had the exact answer.

h() is short for html_escape() in the rails framework. You can use either h() or html_escape(), but most rails programmers use h() by convention, because it saves them some typing. Basically, you can use this method to html_escape any data. Why should you do this? What if your product description has an & in it? To output an & into your browser, the HTML should have &amp; instead of &. Similarly, you should have &lt; and &gt; instead of < and > in your code. Using h() will convert & to &amp; and < and > to &lt; and &gt;, and perform other such conversions.

There are more security implications too. Consider the following rails code:

Code:

Name is <%= params[:name] %>

where name is entered by the user from a form. Normally, you would expect users to just enter their name (say "Joe Schmoe") and it would show the page like this:

Code:

Name is Joe Schmoe

Now, what if the user enters their name like this:

Code:

%3Ch1%3EJoe Schmoe%3C/h1%3E

The funky stuff is URL encoded HTML for <h1>Joe Schmoe</h1> and thus our page will show the text in big font, when we didn't mean it to. Of course, the person could do something a lot worse by entering some javascript instead and execute a cross-site scripting attack.

To prevent this, it is a good idea to html escape the output. You can use:

Code:

Name is <%= h(params[:name]) %>

and it will HTML encode the output safely, so it can't be exploited.

Incidentally, rails also provides the sanitize() method. The sanitize method takes a string and cleans up any dangerous HTML elements: <form> and <script> are escaped; any on= attribs (onclick=, onselect=, etc.) and links with javascript: tags are removed.

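The two templates from the post side by side, as an added example that is not part of the original thread: plain Ruby using the standard ERB library, whose ERB::Util.html_escape is the helper Rails' h() wraps. The URL-decoding step, the h wrapper and the render_* / reflected_unescaped? names are this example's own assumptions, not Rails code.

```ruby
require 'erb'
require 'cgi'

# Constructed sample input: the URL-encoded form value from the post,
# exactly as a browser would send it in the query string.
RAW_PARAM = "%3Ch1%3EJoe Schmoe%3C/h1%3E"

# Rails decodes the query string before it reaches params[:name];
# CGI.unescape reproduces that step here (assumption, standalone script).
def decoded_name(raw = RAW_PARAM)
  CGI.unescape(raw)
end

# Same escaping Rails' h() performs: & < > " ' become entities.
def h(value)
  ERB::Util.html_escape(value)
end

# Vulnerable template from the post: the parameter is interpolated as-is,
# so decoded markup becomes part of the page.
def render_unsafe(name)
  ERB.new("Name is <%= name %>").result(binding)
end

# Hardened template from the post: the parameter is escaped first.
def render_safe(name)
  ERB.new("Name is <%= h(name) %>").result(binding)
end

# Defender's check: does the rendered page still contain the raw user
# input when that input carries markup characters? True means the
# template reflects it unescaped.
def reflected_unescaped?(rendered, input)
  input.match?(/[<>&"']/) && rendered.include?(input)
end

if __FILE__ == $PROGRAM_NAME
  name = decoded_name
  puts render_unsafe(name)   # Name is <h1>Joe Schmoe</h1>
  puts render_safe(name)     # Name is &lt;h1&gt;Joe Schmoe&lt;/h1&gt;
  puts render_safe("Joe & Jane")
end
```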